From: Adam Gołębiowski
Date: Sun, 23 Sep 2018 18:35:22 +0000 (+0200)
Subject: - new, raw from fedora
X-Git-Tag: auto/th/tpm-tools-1.3.9.1-4~2
X-Git-Url: http://git.pld-linux.org/?p=packages%2Ftpm-tools.git;a=commitdiff_plain;h=63715ed

- new, raw from fedora
---

diff --git a/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch b/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch
new file mode 100644
index 0000000..ed43ed0
--- /dev/null
+++ b/0001-Fix-build-with-OpenSSL-1.1-due-to-EVP_PKEY-being-an-.patch
@@ -0,0 +1,37 @@
+From 3acd773846a85d142e919e2f4eeeee1acea5ca3a Mon Sep 17 00:00:00 2001
+From: Michal Schmidt
+Date: Mon, 20 Feb 2017 10:28:33 +0100
+Subject: [PATCH 1/3] Fix build with OpenSSL 1.1 due to EVP_PKEY being an
+ opaque struct
+
+With OpenSSL 1.1 the build fails with:
+data_import.c:375:26: error: dereferencing pointer to incomplete type
+'EVP_PKEY {aka struct evp_pkey_st}'
+
+The manual page[1] says:
+ Previous versions of this document suggested using
+ EVP_PKEY_type(pkey->type) to determine the type of a key. Since EVP_PKEY
+ is now opaque this is no longer possible: the equivalent is
+ EVP_PKEY_base_id(pkey).
+
+[1] https://www.openssl.org/docs/man1.1.0/crypto/EVP_PKEY_base_id.html
+---
+ src/data_mgmt/data_import.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/data_mgmt/data_import.c b/src/data_mgmt/data_import.c
+index f534717f02..d4d2052bc6 100644
+--- a/src/data_mgmt/data_import.c
++++ b/src/data_mgmt/data_import.c
+@@ -372,7 +372,7 @@ readX509Cert( const char *a_pszFile,
+ goto out;
+ }
+
+- if ( EVP_PKEY_type( pKey->type ) != EVP_PKEY_RSA ) {
++ if ( EVP_PKEY_base_id( pKey ) != EVP_PKEY_RSA ) {
+ logError( TOKEN_RSA_KEY_ERROR );
+
+ X509_free( pX509 );
+--
+2.9.3
+
diff --git a/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch b/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch
new file mode 100644
index 0000000..68d14bf
--- /dev/null
+++ b/0002-Fix-build-with-OpenSSL-1.1-due-to-RSA-being-an-opaqu.patch 
@@ -0,0 +1,192 @@
+From 72fe7011fe981f90a04a62a3fb6ad33037390dff Mon Sep 17 00:00:00 2001
+From: Michal Schmidt
+Date: Mon, 20 Feb 2017 10:43:10 +0100
+Subject: [PATCH 2/3] Fix build with OpenSSL 1.1 due to RSA being an opaque
+ struct
+
+RSA is an opaque struct in OpenSSL 1.1. New getter functions must be
+used to access the key components. The functions were not present in
+OpenSSL 1.0, so add a compat header with the implementation of the
+needed functions as suggested by the OpenSSL wiki [1] in order to allow
+building tpm-tools with any version of OpenSSL.
+
+[1] https://wiki.openssl.org/index.php/1.1_API_Changes
+---
+ src/data_mgmt/Makefile.am | 3 ++-
+ src/data_mgmt/data_import.c | 52 ++++++++++++++++++++++---------------
+ src/data_mgmt/openssl_compat.h | 58 ++++++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 92 insertions(+), 21 deletions(-)
+ create mode 100644 src/data_mgmt/openssl_compat.h
+
+diff --git a/src/data_mgmt/Makefile.am b/src/data_mgmt/Makefile.am
+index de505e48ef..9457618ab9 100644
+--- a/src/data_mgmt/Makefile.am
++++ b/src/data_mgmt/Makefile.am
+@@ -32,7 +32,8 @@ noinst_HEADERS = data_common.h \
+ data_init.h \
+ data_object.h \
+ data_passwd.h \
+- data_protect.h
++ data_protect.h \
++ openssl_compat.h
+
+ #
+ # Common build flags
+diff --git a/src/data_mgmt/data_import.c b/src/data_mgmt/data_import.c
+index d4d2052bc6..532543f7d3 100644
+--- a/src/data_mgmt/data_import.c
++++ b/src/data_mgmt/data_import.c
+@@ -39,6 +39,7 @@
+ #include
+ #include
+
++#include "openssl_compat.h"
+
+ /*
+ * Global variables
+@@ -691,8 +692,11 @@ createRsaPubKeyObject( RSA *a_pRsa,
+
+ int rc = -1;
+
+- int nLen = BN_num_bytes( a_pRsa->n );
+- int eLen = BN_num_bytes( a_pRsa->e );
++ const BIGNUM *rsa_n, *rsa_e;
++ RSA_get0_key( a_pRsa, &rsa_n, &rsa_e, NULL );
++
++ int nLen = BN_num_bytes( rsa_n );
++ int eLen = BN_num_bytes( rsa_e );
+
+ CK_RV rv;
+
+@@ -732,8 +736,8 @@ createRsaPubKeyObject( RSA *a_pRsa,
+ }
+
+ // Get binary representations of the RSA key information
+- BN_bn2bin( a_pRsa->n, n );
+- BN_bn2bin( a_pRsa->e, e );
++ BN_bn2bin( rsa_n, n );
++ BN_bn2bin( rsa_e, e );
+
+ // Create the RSA public key object
+ rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject );
+@@ -760,14 +764,22 @@ createRsaPrivKeyObject( RSA *a_pRsa,
+
+ int rc = -1;
+
+- int nLen = BN_num_bytes( a_pRsa->n );
+- int eLen = BN_num_bytes( a_pRsa->e );
+- int dLen = BN_num_bytes( a_pRsa->d );
+- int pLen = BN_num_bytes( a_pRsa->p );
+- int qLen = BN_num_bytes( a_pRsa->q );
+- int dmp1Len = BN_num_bytes( a_pRsa->dmp1 );
+- int dmq1Len = BN_num_bytes( a_pRsa->dmq1 );
+- int iqmpLen = BN_num_bytes( a_pRsa->iqmp );
++ const BIGNUM *rsa_n, *rsa_e, *rsa_d;
++ const BIGNUM *rsa_p, *rsa_q;
++ const BIGNUM *rsa_dmp1, *rsa_dmq1, *rsa_iqmp;
++
++ RSA_get0_key( a_pRsa, &rsa_n, &rsa_e, &rsa_d );
++ RSA_get0_factors( a_pRsa, &rsa_p, &rsa_q );
++ RSA_get0_crt_params( a_pRsa, &rsa_dmp1, &rsa_dmq1, &rsa_iqmp );
++
++ int nLen = BN_num_bytes( rsa_n );
++ int eLen = BN_num_bytes( rsa_e );
++ int dLen = BN_num_bytes( rsa_d );
++ int pLen = BN_num_bytes( rsa_p );
++ int qLen = BN_num_bytes( rsa_q );
++ int dmp1Len = BN_num_bytes( rsa_dmp1 );
++ int dmq1Len = BN_num_bytes( rsa_dmq1 );
++ int iqmpLen = BN_num_bytes( rsa_iqmp );
+
+ CK_RV rv;
+
+@@ -821,14 +833,14 @@ createRsaPrivKeyObject( RSA *a_pRsa,
+ }
+
+ // Get binary representations of the RSA key information
+- BN_bn2bin( a_pRsa->n, n );
+- BN_bn2bin( a_pRsa->e, e );
+- BN_bn2bin( a_pRsa->d, d );
+- BN_bn2bin( a_pRsa->p, p );
+- BN_bn2bin( a_pRsa->q, q );
+- BN_bn2bin( a_pRsa->dmp1, dmp1 );
+- BN_bn2bin( a_pRsa->dmq1, dmq1 );
+- BN_bn2bin( a_pRsa->iqmp, iqmp );
++ BN_bn2bin( rsa_n, n );
++ BN_bn2bin( rsa_e, e );
++ BN_bn2bin( rsa_d, d );
++ BN_bn2bin( rsa_p, p );
++ BN_bn2bin( rsa_q, q );
++ BN_bn2bin( rsa_dmp1, dmp1 );
++ BN_bn2bin( rsa_dmq1, dmq1 );
++ BN_bn2bin( rsa_iqmp, iqmp );
+
+ // Create the RSA private key object
+ rv = createObject( a_hSession, tAttr, ulAttrCount, a_hObject );
+diff --git a/src/data_mgmt/openssl_compat.h b/src/data_mgmt/openssl_compat.h
+new file mode 100644
+index 0000000000..2a60fdf492
+--- /dev/null
++++ b/src/data_mgmt/openssl_compat.h
+@@ -0,0 +1,58 @@
++/*
++ * Getter functions for OpenSSL < 1.1 compatibility. Based on code from:
++ * https://wiki.openssl.org/index.php/1.1_API_Changes#Adding_forward-compatible_code_to_older_versions
++ * and therefore:
++ * Copyright OpenSSL 2016
++ * Contents licensed under the terms of the OpenSSL license
++ * See http://www.openssl.org/source/license.html for details
++ */
++
++#ifndef __OPENSSL_COMPAT_H
++#define __OPENSSL_COMPAT_H
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++#include
++
++static inline void
++RSA_get0_key( const RSA *r,
++ const BIGNUM **n,
++ const BIGNUM **e,
++ const BIGNUM **d ) {
++
++ if ( n )
++ *n = r->n;
++ if ( e )
++ *e = r->e;
++ if ( d )
++ *d = r->d;
++}
++
++static inline void
++RSA_get0_factors( const RSA *r,
++ const BIGNUM **p,
++ const BIGNUM **q ) {
++
++ if ( p )
++ *p = r->p;
++ if ( q )
++ *q = r->q;
++}
++
++static inline void
++RSA_get0_crt_params( const RSA *r,
++ const BIGNUM **dmp1,
++ const BIGNUM **dmq1,
++ const BIGNUM **iqmp ) {
++
++ if ( dmp1 )
++ *dmp1 = r->dmp1;
++ if ( dmq1 )
++ *dmq1 = r->dmq1;
++ if ( iqmp )
++ *iqmp = r->iqmp;
++}
++
++#endif /* OPENSSL_VERSION_NUMBER */
++
++#endif /* __OPENSSL_COMPAT_H */
+--
+2.9.3
+
diff --git a/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch b/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch
new file mode 100644
index 0000000..1f18e8b
--- /dev/null
+++ b/0003-Allocate-OpenSSL-cipher-contexts-for-seal-unseal.patch
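Review bot: openssl_compat.h evaluates `OPENSSL_VERSION_NUMBER` before any OpenSSL header is included — the header's only `#include` (its name is lost in this rendering) sits inside the `#if`, so if the file is ever included first the undefined macro reads as 0, the `< 0x10100000L` test holds, and the `static inline` RSA_get0_* definitions are compiled on an OpenSSL 1.1 build that already declares them as library functions. data_import.c happens to include it after the other OpenSSL headers, so the build works by ordering alone; making the header self-contained is one line, `#include <openssl/opensslv.h>` placed above the `#if`. The guard macro `__OPENSSL_COMPAT_H` is also a double-underscore name reserved for the implementation; `OPENSSL_COMPAT_H` would do. Separately, createRsaPrivKeyObject passes every component returned by RSA_get0_key/RSA_get0_factors/RSA_get0_crt_params straight into `BN_num_bytes` exactly as the old field accesses did, so a key object lacking a private component would presumably still dereference NULL — pre-existing, not introduced here, but worth a check while the lines are being touched.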
@@ -0,0 +1,89 @@
+From c229bb590250bd9769cb5a63918ab0f6c9386be7 Mon Sep 17 00:00:00 2001
+From: Michal Schmidt
+Date: Mon, 20 Feb 2017 12:00:39 +0100
+Subject: [PATCH 3/3] Allocate OpenSSL cipher contexts for seal/unseal
+
+Cipher contexts need to be allocated before using EVP_EncryptInit or
+EVP_DecryptInit. Using a NULL context is invalid.
+
+Fixes: f50ab0949438 ("Support OpenSSL 1.1.0")
+---
+ lib/tpm_unseal.c | 12 ++++++++++--
+ src/cmds/tpm_sealdata.c | 11 +++++++++--
+ 2 files changed, 19 insertions(+), 4 deletions(-)
+
+diff --git a/lib/tpm_unseal.c b/lib/tpm_unseal.c
+index fc4a84906a..005dab7f8f 100644
+--- a/lib/tpm_unseal.c
++++ b/lib/tpm_unseal.c
+@@ -86,7 +86,7 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size,
+ int srkSecretLen;
+ unsigned char* res_data = NULL;
+ int res_size = 0;
+-
++ EVP_CIPHER_CTX *ctx = NULL;
+ BIO *bdata = NULL, *b64 = NULL, *bmem = NULL;
+ int bioRc;
+
+@@ -408,7 +408,12 @@ int tpmUnsealFile( char* fname, unsigned char** tss_data, int* tss_size,
+ }
+
+ /* Decode and decrypt the encrypted data */
+- EVP_CIPHER_CTX *ctx = NULL;
++ ctx = EVP_CIPHER_CTX_new();
++ if ( ctx == NULL ) {
++ rc = TPMSEAL_STD_ERROR;
++ tpm_errno = ENOMEM;
++ goto tss_out;
++ }
+ EVP_DecryptInit(ctx, EVP_aes_256_cbc(), symKey, (unsigned char *)TPMSEAL_IV);
+
+ /* Create a base64 BIO to decode the encrypted data */
+@@ -459,6 +464,9 @@ out:
+ } else
+ free(res_data);
+
++ if (ctx)
++ EVP_CIPHER_CTX_free(ctx);
++
+ return rc;
+ }
+
+diff --git a/src/cmds/tpm_sealdata.c b/src/cmds/tpm_sealdata.c
+index a2157f34b1..e25244a0f4 100644
+--- a/src/cmds/tpm_sealdata.c
++++ b/src/cmds/tpm_sealdata.c
+@@ -118,7 +118,7 @@ int main(int argc, char **argv)
+ char *passwd = NULL;
+ int pswd_len;
+ BYTE wellKnown[TCPA_SHA1_160_HASH_LEN] = TSS_WELL_KNOWN_SECRET;
+-
++ EVP_CIPHER_CTX *ctx = NULL;
+ BIO *bin = NULL, *bdata=NULL, *b64=NULL;
+
+ initIntlSys();
+@@ -343,7 +343,11 @@ int main(int argc, char **argv)
+ BIO_puts(bdata, TPMSEAL_ENC_STRING);
+ bdata = BIO_push(b64, bdata);
+
+- EVP_CIPHER_CTX *ctx = NULL;
++ ctx = EVP_CIPHER_CTX_new();
++ if (ctx == NULL) {
++ logError(_("Unable to allocate cipher context\n"));
++ goto out_close;
++ }
+ EVP_EncryptInit(ctx, EVP_aes_256_cbc(), randKey, (unsigned char *)TPMSEAL_IV);
+
+ while ((lineLen = BIO_read(bin, line, sizeof(line))) > 0) {
+@@ -375,5 +379,8 @@ out:
+ BIO_free(bdata);
+ if (b64)
+ BIO_free(b64);
++ if (ctx)
++ EVP_CIPHER_CTX_free(ctx);
++
+ return iRc;
+ }
+--
+2.9.3
+
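Review bot: The return values of `EVP_DecryptInit` in tpmUnsealFile and `EVP_EncryptInit` in main are still unchecked on the line directly after the new allocation guard, so a failed init leaves a freshly allocated `ctx` with no cipher set and the later Update/Final calls operate on it. Both sites should fail the same way the allocation failure does, e.g. in tpm_unseal.c `if (EVP_DecryptInit(ctx, EVP_aes_256_cbc(), symKey, (unsigned char *)TPMSEAL_IV) != 1) { rc = TPMSEAL_STD_ERROR; goto tss_out; }` and in tpm_sealdata.c `if (EVP_EncryptInit(ctx, EVP_aes_256_cbc(), randKey, (unsigned char *)TPMSEAL_IV) != 1) { logError(_("Unable to allocate cipher context\n")); goto out_close; }` with a message of its own. `EVP_CIPHER_CTX_free` is a no-op on NULL in OpenSSL 1.1, so the `if (ctx)` guards in both cleanup blocks are redundant there. Both enclosing functions extend well beyond the hunk, and the `tss_out` and `out_close` labels are not visible here, so the new error paths are assumed to reach the cleanup at `out:` where the context is freed.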